Block Cyberghost IPs


L2 Linker

I see a lot of threats (thousands in a few minutes) to one of my webservers from IP 176.10.115.140.

This IP belongs to CyberGhost, so probably someone used this to hide his own IP and attack our webserver.

Is there a way to block this traffic (before the threat prevention blocks it)?

 

I know I can try to block this IP (or even the scope), but when someone on the outside tries to hide his IP address when reaching my server, his intentions are probably no good. I would like to block everyone “entering” my network who is trying to hide their IP. Is there some kind of “external dynamic list” which can help me accomplish this?

2 REPLIES 2

Cyber Elite

@Sjoerd,

What you are asking for is essentially blocking access to every single VPN or proxy provider; that's not a very viable solution. You might want to take a look at DoS profiles and Zone Protection limits and set up a DoS profile for the IP address that is getting hit. There really isn't a viable solution to blocking every single outside provider that someone could use to hide their IP, not to mention even if you identified the true source IP it wouldn't matter, since your firewall sees the traffic coming from the listed source.

Most of these types of attacks are not truly targeted, and you just got caught up in someone's scripted attack. Try blocking the IP you see the traffic coming from and see if the IP changes; generally it would not.

Cyber Elite

Hello,

There are dynamic lists that are publicly available. Here are a few links to help out. However, I think you are looking for something that @BPry suggested, and that is a dynamic block. We have ours set to 3600 (seconds) so at least the attacker is blocked for one hour at a time.

 

 

Source on PAN support:

https://live.paloaltonetworks.com/message/54183#54183

 

SANS notes on this:

https://isc.sans.edu/forums/diary/Subscribing+to+the+DShield+Top+20+on+a+Palo+Alto+Networks+Firewall...

 

Others listed on this site:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

http://malc0de.com/bl/IP_Blacklist.txt

http://panwdbl.appspot.com/lists/openbl.txt

http://panwdbl.appspot.com/

http://cinsscore.com/list/ci-badguys.txt

 

Cheers!
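
Added example, not part of the original thread and not Palo Alto Networks or list-provider code: public plain-text IP lists like the ones linked above are third-party input, so it is worth validating them before a firewall consumes them as a block list. The sketch below parses a one-entry-per-line list, rejects malformed, overly broad and protected (internal or allowlisted) entries, and collapses the rest; the sample feed, the `NEVER_BLOCK` ranges, the `MIN_PREFIX` limits and the function name are assumptions.

```python
import ipaddress

# Constructed sample in the style of a public plain-text block list.
SAMPLE_FEED = """\
# constructed sample, not real threat data
176.10.115.140
203.0.113.0/25
203.0.113.128/25
198.51.100.7   ; trailing comment
198.51.100.7
10.0.0.5
0.0.0.0/0
not-an-ip
192.0.2.300
"""

# Assumptions: ranges that must never be blocked, and the broadest prefix accepted.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
MIN_PREFIX = {4: 8, 6: 32}


def sanitize_blocklist(text, allowlist=()):
    """Return (entries, rejected) from a one-entry-per-line IP list."""
    protected = NEVER_BLOCK + [ipaddress.ip_network(a, strict=False) for a in allowlist]
    nets, rejected = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIX[net.version]:
            rejected.append((line, "too broad"))
        elif any(p.version == net.version and net.overlaps(p) for p in protected):
            rejected.append((line, "protected range"))
        else:
            nets.append(net)
    entries = []
    for version in (4, 6):  # collapse_addresses cannot mix IP versions
        same = [n for n in nets if n.version == version]
        entries += [str(n) for n in ipaddress.collapse_addresses(same)]
    return entries, rejected


if __name__ == "__main__":
    good, bad = sanitize_blocklist(SAMPLE_FEED, allowlist=["198.51.100.0/28"])
    print("\n".join(good))
    for line, reason in bad:
        print(f"rejected {line}: {reason}")
```

The `allowlist` argument is meant for your own public ranges and those of partners, so a poisoned or mistaken feed entry cannot cut off traffic you depend on.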
